Aviva Insurance Limited

Privacy Notices

The data controllers responsible for the personal information in this notice are:

• Aviva Insurance Limited (Aviva), as the insurer of the Home and Travel Insurance products, collects and uses personal information about you so that they can provide you with a policy that suits your insurance needs. Some of this information may be collected directly from you and some may be collected from other sources including first direct/HSBC Bank plc, for, example, during the sale of the policy. Aviva is the data controller in respect of your personal information that it has received from first direct/HSBC Bank plc, as distributor and also in respect of any information that it has collected directly from you or from other sources as set out in its Privacy Notice.

• first direct, a division of HSBC Bank plc, 40 Wakefield Road, Leeds LS98 1FD, is responsible for the promotion and distribution of the Home and Travel Insurance products. We will collect and use personal information about you during the promotion and sale of the product which may be provided by you but could also include information that we have previously collected about you, e.g. any information held about you as a banking customer. HSBC Bank plc is the data controller for this information which will be shared with Aviva as set out in its Privacy Notice. first direct Privacy Overview first direct and HSBC Bank plc will share your personal information with Aviva to enable Aviva to provide you with a quote, administer your policy and manage your claims. If you make a claim, any information you give to us, or to Aviva may be put in a register of claims database and it may be shared with other insurers to prevent fraudulent claims.

This provides an overview of:

• the types of information we collect about you • how we collect and use it • who we might share it with • the steps we’ll take to make sure it stays private and secure.

We’ll also explain your rights to your information. This is just an overview of some key points. A full description is contained in the privacy notice which you can obtain by visiting www.firstdirect.com/privacy or if you prefer paper, give us a call on 03 456 100 100 and we’ll send you a copy in the post.

Who we are

When we say ‘we’, we mean first direct, a division of HSBC Bank plc, which is part of the HSBC group of companies. HSBC Bank plc is the ‘data controller’ for the information in this overview. This means we’re responsible for deciding how your information is used to promote and distribute the Home and Travel Insurance products.

The information we collect

We collect information about you from different places including:

• directly from you • from a third party acting on your behalf e.g. an intermediary or broker • from other HSBC companies • from publicly available sources • when we generate it ourselves • from other organisations. We’ll only collect your information in line with relevant regulations and law and this may relate to any of our products or services you apply for, currently hold or have held in the past.

You’re responsible for making sure you give us accurate and up to date information. If you provide information for another person on your policy, you’ll need to, direct them to the privacy notice and make sure they agree to us using it for the purposes set out in the privacy notice.

How we’ll use your information

We’ll use it to provide you with any products and services you’ve requested and other purposes including for example:

• to confirm your identity and address • to understand how you use any other accounts, products or services you hold with us accounts • to carry out your instructions • to improve our products and services • to offer you other services we believe may benefit you unless you’ve asked us not to.

We’ll only use your information where we’re allowed to by law, including for example, carrying out an agreement we have with you, fulfilling a legal obligation, because we have a legitimate business interest or where you agree to it.

We may use automated systems to help us as carry out fraud and money laundering checks.

Who we can share your information with

We may share your information with other companies we work in partnership with and other HSBC Group members. We may also share your information with others outside of the HSBC group including regulators (e.g. the Financial Conduct Authority), insurers, other banks, brokers, agents as well as credit reference and fraud prevention agencies.

Sensitive information

When you apply for insurance, you may need to give us sensitive health information if the insurer needs this to give you a quote. We will keep this information secure and process it in accordance with relevant laws and regulations. Where appropriate, we will ask for consent to collect and use this information.

How long we’ll keep your information

We’ll keep your information for as long as you have a relationship with us. After it ends we’ll keep it where we may need it for our legitimate purposes, to help us respond to queries or complaints, or for other legal and regulatory reasons, including for example, fighting fraud and financial crime and responding to requests from regulators.

Transferring your information overseas

Your information may be transferred and stored in countries outside the European Economic Area (EEA), including some that may not have laws offering the same level of protection for personal information. When we do this, we’ll ensure an appropriate level of protection is maintained

Your rights

You have a number of rights relating to your information e.g. to see what we hold, to ask us to share it with another party, ask us to update incorrect or incomplete details, to object to or restrict processing of it etc. For a fuller statement of your rights and how to complain if you’re unhappy with anything you think we are doing, please see the full privacy notice.

More information

If you’d like more details about anything covered in this summary, please see our full Privacy Notice you can view or download a copy by visiting www.firstdirect.com/privacy or if you prefer paper, give us a call on 03 456 100 100 and we’ll send you one in the post.

Aviva Privacy Notice

In this section “we”, “us” or “our” means Aviva Insurance Limited.

This notice explains the most important aspects of how Aviva use your information but you can get more information about the terms used and view the full privacy policy at: [www.aviva.co.uk/privacypolicy] or request a copy by writing to: Aviva, Freepost, Mailing Exclusion Team, Unit 5, Wanlip Road Ind Est, Syston, Leicester, LE7 1PD

Personal information Aviva collects and how we will use it

Aviva will use your personal information:-

• to provide you with insurance: we need this to decide if we can offer insurance to you and if so on what terms and also to administer your policy, handle any claims and process renewals, • to support legitimate interests that we have as a business: we need this to manage arrangements we have with reinsurers, for the detection and prevention of fraud and to help them better understand their customers and improve their customer engagement (this includes, customer analytics and profiling), • to meet any applicable legal or regulatory obligations: we need this to meet compliance requirements with their regulators (e.g. Financial Conduct Authority), to comply with law enforcement and to manage legal claims; and • to carry out other activities that are in the public interest: for example we may need to use personal information to carry out anti-money laundering checks.

As well as collecting personal information about you, Aviva a may also use personal information about other people, for example family members you wish to insure on a policy. If you are providing information about another person Aviva expect you to ensure that we know you are doing so and are content with their information being provided to them. You might find it helpful to show them this privacy notice and if we have any concerns please contact Aviva in one of the ways described below.

The personal information we collect and use will include name, address, date of birth, and financial information. If a claim is made Aviva will also collect personal information about the claim from you and any relevant third parties. We may also need to ask for details relating to the health or any unspent offences or criminal convictions of you or somebody else covered under your policy. We recognise that information about health and offences or criminal convictions is particularly sensitive information. Where appropriate, we will ask for consent to collect and use this information.

If Aviva need your consent to use personal information, we will make this clear to you when you complete an application or submit a claim. If you give Aviva consent to using personal information, you are free to withdraw this at any time by contacting them in one of the ways described below. Please note that if consent to use information is withdrawn we may not be able to continue to provide the policy or process claims and we may need to cancel the policy.

Of course, you don’t have to provide us with any personal information, but if you don’t provide the information we need we may not be able to proceed with your application or any claim you make.

Some of the information we collect as part of this application may be provided to us by a third party including first direct/HSBC Bank plc. This may include information already held about you within the Aviva group, including details from previous quotes and claims, information obtained from publicly available records, Aviva’s trusted third parties and from industry databases, including fraud prevention agencies and databases.

Credit Reference Agency Searches

To ensure the Insurer has the necessary facts to assess your insurance risk, verify your identity, help prevent fraud and provide you with our best premium and payment options, the Insurer may need to obtain information relating to you at quotation, renewal and in certain circumstances where policy amendments are requested. The Insurer or its agents may undertake checks against publicly available information (such as electoral roll, country court judgments, bankruptcy orders or repossessions(s). Similar checks may be made when assessing claims.

The identity of our Credit Reference Agency and the ways in which they use and share personal information, are explained in more detail at www.callcredit.co.uk/crain

Automated decision making

We carry out automated decision making to decide whether we can provide insurance to you and on what terms, deal with claims or carry out fraud checks. In particular we use an automated underwriting engine to provide a quote for this product, using the information we have collected.

How we share your personal information with others

Aviva may share your personal information:-

• With the Aviva group, our agents and third parties who provide services to us, first direct/HSBC Bank plc and other insurers (either directly or via those acting for the insurer such as loss adjusters or investigators) to help us administer our products and services; • With regulatory bodies and law enforcement bodies, including the police, e.g. if we are required to do so to comply with a relevant legal or regulatory obligation; • With other organisations including insurers, public bodies and the police (either directly or using shared databases) for fraud prevention and detection purposes; • With reinsurers who provide reinsurance services to Aviva and for each other. Reinsurers will use your data to decide whether to provide reinsurance cover, assess and deal with reinsurance claims and to meet legal obligations. They will keep your data for the period necessary for these purposes and may need to disclose it to other companies within their group, their agents and third party service providers, law enforcement and regulatory bodies

Some of the organisations Aviva share information with may be located outside of the European Economic Area (“EEA”). We will always take steps to ensure that any transfer of information outside of Europe is carefully managed to protect your privacy rights. For more information on this please see Aviva’s Privacy Policy or contact us in one of the ways described below.

How long we keep your personal information for

Aviva maintain a retention policy to ensure we only keep personal information for as long as we reasonably need it for the purposes explained in this notice. Aviva need to keep information for the period necessary to administer your insurance and deal with claims and queries on your policy. Aviva may also need to keep information after our relationship with you has ended, for example to ensure we have an accurate record in the event of any complaints or challenges, carry out relevant fraud checks, or where we are required to do so for legal, regulatory or tax purposes.

Your rights

You have various rights in relation to your personal information, including the right to request access to your personal information, correct any mistakes on our records, erase or restrict records where we are no longer required, object to use of personal information based on legitimate business interests, ask not to be subject to automated decision making if the decision produces legal or other significant effects on you, and data portability. For more details in relation to your rights, including how to exercise them, please see the full privacy policy for Aviva Insurance Limited, which can be obtained in the way described above.

Contacting us

If you have any questions about how Aviva use personal information, or if you want to exercise your rights stated above, please contact our Data Protection Officer by either emailing them at: [email protected] or writing to them at Aviva, Level 4 Pitheavlis, Perth. PH2 0NH

If you have a complaint or concern about how Aviva or use your personal information, please contact us in the ways described above in the first instance and we will attempt to resolve the issue as soon as possible. You also have the right to lodge a complaint with the Information Commissioners Office at any time.